Yesterday, there were two isolated incidents of a troll user ("BritishEnglshPolice" - note the lack of an "i" in "English") using social engineering tactics to trick moderators into modding trolls. In this instance, two moderators were messaged by a fake BritishEnglishPolice (moderator of /r/pics, /r/IAmA, and many more) requesting their "alt accounts" be temporarily modded for one reason or another. Those alt accounts turned out to be trolls, who immediately started modding other users.

This happened to both /r/IAmA and /r/pics. Moderators and reddit admin caught /r/pics before anything significant changed on the subreddit (a bit of a change in the sidebar was all). However, /r/IAmA was affected for about four minutes, with the masthead changed to a pornographic image, as well as drastic changes to the css, and removal of content. The trolls even managed to message other users in /r/IAmA's modmail.

Once discovered, the trolls were removed as moderators, and the real mods cleaned everything up. In a matter of minutes, everything was back to normal. We don't have statistics on how many users were potentially affected, though.

What to take away from this:

Be cautious, always

Always check that users are who they say they are (click their username)

No moderator should need another moderator to add their "alt" to the subreddit

It's always a good idea to use modmail or other pre-arranged communication methods - Never trust a message that was sent via another method

Communicate with your fellow moderators when you see strange requests

Because this tactic worked 2 out of 2 times, it's highly likely it will be attempted by troll users again, so stay vigilant. Don't hesitate to contact your fellow moderators or the admins whenever you see suspicious activity.
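The impersonation described above relied on a username one character away from a real moderator's. As an added example (not part of the original post, and not a Reddit feature), this Python sketch flags senders whose names nearly match a trusted moderator; the function names, thresholds, and the homoglyph and "unknown" sample names are assumptions constructed for illustration.

```python
# Added example: flag usernames that imitate a trusted moderator's name.
# TRUSTED_MODS uses two names mentioned on this page; everything else is constructed.
TRUSTED_MODS = ["BritishEnglishPolice", "karmanaut"]

# Characters that render alike in many fonts (assumed, deliberately small map).
_CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o"})


def skeleton(name: str) -> str:
    """Collapse look-alike characters, case, and separators before comparing."""
    return name.translate(_CONFUSABLE).lower().replace("_", "").replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    a, b = a.lower(), b.lower()
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "ua" typed for "au".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(sender: str, trusted_mods=TRUSTED_MODS, max_distance: int = 2):
    """Return ("exact", mod), ("lookalike", mod) or ("unknown", None).

    "exact" only means the name is the real account name (compared
    case-insensitively); the request itself still needs confirming through
    modmail. "lookalike" means the name is a near miss and should be
    treated as an impersonation attempt until proven otherwise.
    """
    by_lower = {m.lower(): m for m in trusted_mods}
    if sender.lower() in by_lower:
        return ("exact", by_lower[sender.lower()])
    sender_skel = skeleton(sender)
    for mod in trusted_mods:
        mod_skel = skeleton(mod)
        # Scale the tolerance with name length so short names do not
        # match everything; identical skeletons always match.
        limit = min(max_distance, len(mod_skel) // 4)
        if edit_distance(sender_skel, mod_skel) <= limit:
            return ("lookalike", mod)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders; the first is the name reported in the post.
    for name in ["BritishEnglshPolice", "BritishEngIishPolice",
                 "britishenglishpolice", "some_random_user"]:
        print(f"{name:24} -> {classify_sender(name)}")
```
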

Most are not frequent contributors, at least not from any first glance by their user history.

If you look at any of the subreddits I mod, I am not a frequent contributor in the sense of posting a lot. But I spend my time molding a subreddit to be its best and am not power trip crazy. I put the best intentions forward and can help subreddits get better. But if I go in and ask if they need a mod position they don't know that I am constantly reading comments and spending my time on the subreddit. My comment history shows very little of that even though I am quite active in voting. Just because you comment a lot doesn't make you a great person to be a mod.

I don't know where I am going with this. I am tired and it is late. But there's a catch 22 there, I know it. :p

A small subreddit? That's when a mod needs to be a heavy contributor. I built /r/Scrubs when it was just 2 subscribers. It's a lot of self-promotion in comments. For example when you find something relating to your subreddit somewhere else you put a mention in the comment string of a popular thread. But you have to be witty enough with your comment so it doesn't just look like a link to your subreddit.

Finding other subreddits like your own but different and exchanging links can help as well.

Also some kind of custom CSS goes a long way. It makes your subreddit not look abandoned even when there are few subscribers. You obviously need to know what you're doing or it could scare people away if it is ugly.

Once you pass the 1000 threshold it can get a bit easier, but still self-promotion in comments will continue to grow. Around 8k other users start doing that for you. Once you get around there then it is going to continue to grow on its own most likely. It depends on the subreddit. If it's more niche like /r/graphic_design self promotion will always be a good thing.

Some subreddits just won't grow that much. My expectations for /r/Scrubs are much smaller. /r/Zelda I joined when it was just 900. Posting in /r/gaming threads was very important back then. Now it is massive and I don't worry about promotion, I worry about quality control.

I typically make a modpost stating that I could use some extra help, and let applications open up. Otherwise if a user asks to be a mod, I just say we don't need one at the present time, but to feel free to try during an application period. Backfired once, I picked a troll with an otherwise clean account, but that could happen to anyone.

This is a policy that needs to be lived by for all moderators. More than once have I seen subreddits destroyed from this, it's an ugly scenario. The way it cripples the community's trust in the moderators is the most tragic part.

To be fair, I had been very active and "playing mod" for some time before applying. I didn't just message the mods and cross my fingers. But yes, I did the asking. I would probably never have gotten in otherwise.

How does this apply to this case? The one that made them moderators believed it was the real "BritishEnglishPolice", a moderator asking for his alts to be moderators, not just a random user asking to be a moderator.

We've looked into this and, right now, we believe that they have not accessed any personal information of past IAmA users. (Luckily, it's rather difficult to actually get to past modmail messages, and they had a very limited amount of time.)

Because mod mail deals specifically with authority, and to help in disputes, I guess that mod mail serves as evidence. On the other hand, deleting modmail would allow mods to abuse their power and erase the evidence of their wrongdoings.

Just restricting how much modmail new mods can see would be enough, maybe new mods shouldn't be able to see old modmail that's older than 7 days. Or implement something that would disable all mod features for 24h for the new mod.

A couple months ago a user used this exact technique to become a moderator of a subreddit which I mod. He modded a bunch of his friends and proceeded to tear the subreddit apart (it wasn't a small subreddit either, it has over 7k subscribers). I sent a message to reddit admins, and not one damn thing was done about this. I hope you guys are willing to take this more seriously now. If you would, please follow up with me about this, as I have irrefutable proof of who did it, they bragged about it extensively.

Tangentially relevant: I once encountered a user requesting to become a moderator of my subreddit, which was under 500 subscribers at the time. I checked him out and he apparently mods ten or twelve (or more, I don't recall) subreddits for the purpose of staging 'mod wars' between other 'factions'. Some subreddits were willing participants and some were small subreddits taken over under false pretenses and used to promote the 'wars'. It was all very odd (though not against any rules I know of).

I had a user request mod access through mod mail for /r/jokes. I told him of the generally agreed upon rule that those who ask for power won't be considered. And based on the changes he wanted to make, he wasn't a fit to be a mod for us (he wanted to tailor /r/jokes to only include jokes HE found funny, and remove everything else when our current policy is let any joke remain, even if we didn't find it funny).

The other moderator made a rare appearance and agreed with me. He then turned around and PM'd the other mod directly asking for moderator privileges.

This is only funny to me because I recently subscribed to r/socialengineering because I'm a mental health professional and find it interesting. The funny part is that I was just made a mod of r/daddit. I'm not a troll, just poor timing.

Very cool. I never heard of a sociology major refer to themselves as a mental health professional. I'm a Social Worker myself. I haven't read either of those books but I'll take a look at them. Thanks!

Currently I am a Program Director at an NPO a friend and I started up after getting tired of working for soulless social service agencies focused on anything but helping the mentally ill. We do mostly county/state cases, and work to keep chronically mentally ill adults living as independently as possible in the community. Many of our peeps have spent a good deal of their life homeless and/or are on the constant verge of being homeless. Lots of drug and alcohol problems, but that is par for the course.

Wow! Right now I'm the Program Director for a safety net program which aims to identify frail elderly and aid them in reaching necessary services to help them stay safe in their homes. However, my employment is through a soulless community center/social service agency which only cares about numbers and will justify any way to make up clients in order to receive funding. However, I am overly interested in the work you are doing. My passion is working with chronically mentally ill (as well as people with substance abuse issues). My Masters thesis was on destigmatizing mental illness in the broader community and identifying the factors that might help or hurt the process of reintegration.

Outstanding. I gotta be honest though, a day doesn't go by when my friend, the Exec. Director and I don't ask ourselves 'what the hell have we gotten into?' The bureaucracy works so hard to make life hard to ensure some strange concept of 'quality' that it threatens the actual quality. Just today I joked that if we abandoned all our BS paperwork and just focused on helping our people our quality of assistance would increase ten-fold; until the government shut us down.

I love this business but damn I hate it.... I am also the agency comedian and morale officer, always striving to keep our employees from burning out. There are only 5 of us at our agency and the other director and I are probably the lowest paid directors in the state.

My mate actually put his beloved Harley on the line to get a loan to start our agency: the guy is a saint but he is burning out sooo fast...

Going for my psychology degree and having to deal with anthropology classes. This stuff is really interesting but INCREDIBLY boring at the same time. For some reason the majority of it sticks with me but it's just some of the most boring information to know.

However, I was watching Jeopardy quite a long time back with some friends and one of the questions (well, answers but question format) was "What is the Piltdown Man". Well, when the answer popped up on the screen I started screaming it and my friends were like O.o "What?!" and I was right. It was the greatest feeling because everyone else just looked at themselves like they had absolutely NO clue and I became interesting for about 10 minutes as I explained it to them.

It then suddenly became the most useless and boring information again.

I almost, yet didn't double major with Anthro for these exact reasons, as well as the fact some of the anthro classes were downright difficult. One of the most challenging and enlightening was linguistic anthropology. If you are interested in social engineering, then linguistic anthropology is a good place to mine information. The relation between how we influence our language and how our language influences us is informative. To this day I teach people how our use or lack of use of possessives have a great bearing in how we interact and view our world.

Haha. That's true, although I could have been like "Oh, I have this great idea to make a chat room" And shown you that I care and wanted to benefit the community and get "invited" in. Haha, just playing devil's advocate though....

> Yesterday, there were two isolated incidents of a troll user ("BritishEnglshPolice" - note the lack of an "i" in "English") using social engineering tactics to trick moderators into modding trolls. In this instance, two moderators were messaged by a fake BritishEnglishPolice (moderator of /r/pics, /r/IAmA, and many more) requesting their "alt accounts" be temporarily modded for one reason or another.

This is what happens when a moderator hierarchy is based on popularity and loyalty to particular factions: people who are too popular not to be trusted become the weakest point of security either through deception on that user's part or hijacking that user's account or credibility (as in this case, what is essentially identity theft coupled with "social engineering"). And this inevitably leads to a breach of trust, an actual security breach, or a failure of users to perceive social engineering attacks.

Moderators need to be more aware of who other mods are, their function, and establish a routine of always checking with another active moderator before implementing a feature or policy change.

I play an MMORPG that lacks currency. You need to trade lots of cheap items for expensive ones with other players. The trade window only holds 8 items at a time so you would need to give 8, go to your vault, give 8 more etc. etc. and then at the end pray they give you what you just paid for. This spawned a "vouch" system on the forums. The more people that vouched for someone the more trusted they were (provided the vouchers were recognized players).

So many scammers impersonated being trusted players, or being vouched by trusted players, that the entire system collapsed. The creator of the vouch thread deleted it once he realized it was a terrible idea. The scammers switched to using photoshopped screenshots showing themselves being vouched for by trusted players etc.

Then an item duplication method was discovered and the devs let it go unfixed for months and months and now everything in the game is worthless anyway. Oh well. Stopped the scamming I guess.

Yes, but yours has built-in mass appeal. Not as easy as trying to pitch /r/AnusFree, which of course is NSFW and exactly what it sounds like. I'm at about a week and (a shocking, to me at least) 11 subscribers.

So reddit decided to intervene in this instance, yet when troll mods took over /r/Catholic and turned the place into an Anti-Catholic priest-raping joke and held it ransom for $500, reddit decided it wasn't worth an intervention. Seems like a double standard.

To give you a serious response instead of some of the joke responses, /r/Catholic was granted to the moderators in a legitimate way, while the /r/IAma and /r/pics attempts were not done through already established and legitimate means.

IMHO, /r/Catholic should be handed over to someone who is going to actually make it a viable community, but given I have a catholic background, I'm a bit bias.

I understand the rationale by the admins, that this was done "legitimately". However, when a mod gains control over a subreddit through reddit request, then subsequently guts it, and completely flips the subreddit's intent, there should be an exception in certain circumstances that reverts the mods to the previous owners, or at least seeks new mods if there's enough interest.

However, this could create an unreasonable burden on the admins, getting them roped into all the subreddit drama, which is why I decided to not press the issue. But every once in a while it rears its head, and I just have to get back on my soap box for a little while.

Not to mention there is ZERO involvement of the existing community when deciding if someone is allowed to hijack moderation. NO NOTICE WHATSOEVER. So if you find a healthy, active /r/ where the mod is MIA, you can take it over with complete impunity.

A 'bit bias?' Yeah, I'd say so. Especially against fellow Catholics. FYI I'm the person who took over /r/Catholic and I fully plan to also take over /r/Catholicism the day Saint_Peter here becomes inactive. He's so arrogant and paranoid he has learned nothing from this and refuses to appoint other mods (the easiest way to avoid this dispute).

I love how the subreddit must be given to a certain "holy" person. The content itself has improved and now the spam filter is fully staffed. But hey, that's irrelevant.

The only case of "reddit intervening" is this post, which is nothing more than a warning message to moderators. The admins didn't take any action, but rather the mods of the respective subreddits reverted the changes that were made, on their own.

Just use the completely anonymous "message the moderators" box below and we shall hear your confessions. We shall respond within the hour with what prayers you need to recite to be completely forgiven of any and all sins.

If one can not defend themself against social engineering they do not deserve to be a mod of a major reddit. Period. Especially in a reddit like a drama inducing reddit. If you fall for it you are no good as a mod.

Although IP bans may be a bit harsh as a moderator function, is there a similar power that could be flexed from those at Superfriends Headquarters (Reddit HQ) that could be done at that kind of level?

Not to put any more work burden on the admins, but short of swinging the ban hammer, trolls will be trolls and creating multiple spam accounts is a time consuming effort that could be at least relatively mitigated by this kind of action...

Not all the time, we used to test for compliance (finance company) and start with the really simple 'Hi, it's bob from tech support, your computer has a problem, can I have the name and number from the front? OK, now I need your password...' and then work from there (30% success rate from an internal line, about half that from an external line within 6 months of training). It's about making someone think you are someone you are not who is entitled to something; in this case the fake account is the 'cover', the request is what it is.

That's actually quite reasonable. I've had people give passwords and other information to random people, without IDs, walking in and telling them they are going to fix their computer. Essentially if you tell someone that you are from tech support (even in a company with only 2 techies servicing a particular area) and that they had a report that their computer was 'running slow' they will tell you damn near anything.

It's kind of lame social engineering though, like password guessing is to hacking. It would've been more impressive if he used his mod power to convince more and more people of a specific thing by undermining the balance of bias in IAmA and then subsequently take over all of reddit under the image of a benevolent and capable volunteer while secretly using this power for his own goals.

> It's kind of lame social engineering though, like password guessing is to hacking.

Most social engineering is pretty lame, the lamest attempts can be pretty spectacular though (it's amazing what you can do with a clipboard and a walkie talkie).

> It would've been more impressive if he used his mod power to convince more and more people of a specific thing by undermining the balance of bias in IAmA and then subsequently take over all of reddit under the image of a benevolent and capable volunteer while secretly using this power for his own goals.

Well yeah, but he still managed to get elevated privileges on a default subreddit on the world's 139th most popular website.

If you have a clipboard, walkie talkie, and a name badge you can do anything. You are a god. You can make up a company and make a badge for them. People see a badge and "oh, well, shit he has a badge".

Thanks -- I was expecting to be quickly downvoted but good to know other people know what he is like... but that makes it more disappointing someone as dishonest / childish as him is mod of many subreddits

This happened because some people were foolish, obviously, but also because one mod had no problem with modding another mod's alt account, which would have been pretty insidious on its face, even if it hadn't been part of a troll. If BEP did something shitty and there was an outcry, he could then demod his BEP account and continue on using the alt. This wasn't acceptable when it turned out karmanaut had done it with ProbablyHittingOnYou, and it shouldn't be acceptable practice in general.

If you use RES, hover over the username to check account age. If it's a troll, it'll be at most a few days or a few weeks. BEP would be years. Very easy to catch if you take the extra few seconds to check account age.

Oh man... I was affected. In the Rotten Tomato AMA I saw a Game of Trolls sigil. And an overweight woman spread her legs. It ruined my day. I had to stop reading and fap immediately and ended up missing my opportunity to ask my question.

Over at /r/gamegrumps there was a troll impersonating a moderator to try to insult users, ask for passwords and request that all the moderators have reddit gold purchased for them. We have dealt with the troll since.

I recently started a small subreddit and already have three guys helping me out. Some messaged me about modship, others didn't. But they all had contributed a lot more to the subreddit than most. One of them even spent their own time designing and redesigning a banner, and is working on other cool features. If the people are right for the job, and display that, don't hesitate to accept their requests for modship.

I relish the opportunity to shut down trolls. I honestly can't believe that worked, it's quite sad that it worked, I mean this is how to deceive 101. Thankfully all the mods of /r/diablo are really tight-knit.

IPs are easy to change and if you ban a range, you can potentially ban hundreds of people. IP bans are pointless. Even the dumbest trolls have gotten around them for years. I remember using proxies in the 90's to get around IP bans.

No system is infallible though. Email got junk mail, Facebook got fake profiles (as did MySpace). The only way a system would be infallible would be if it was closed and all the members were 100% trustworthy and secured and didn't let anyone else have access.

No system is infallible; however, I think Reddit has reached the point where it has become an attractive target. It is already annoying that a person can create as many alternate handles as they want and game the system or the bots used to pump up certain posts which are just cover for marketing, etc...

Actually I had the account for six years, didn't actually really use it until the downfall of Digg and my discovery of Reddit Enhancement Suite (which made reddit more appealing to me).
Someone could easily just make an account, leave it sit for a year or two, then start posting frequently and nobody would notice except for karma.

Never trust it if the user is from /r/mensrights or their affiliated subs. Look what demmian and impotent_rage did to /r/feminism -- although for some reason the admins are no help correcting that situation (hint hint, Dacvak)